HIPAA Enforcement Activity in December 2019

In December 2019, the Department of Health and Human Services’ Office for Civil Rights (OCR) took two more enforcement actions against covered entities that were found to have violated the HIPAA Regulations.

The first financial penalty announced by OCR was a settlement with Korunda Medical LLC. This was Korunda Medical LLC’s second financial penalty under OCR’s HIPAA Right of Access Initiative. OCR investigated the HIPAA-covered entity after receiving a complaint from a patient whom Korunda Medical had failed to furnish with a copy of her health records. OCR gave the provider technical assistance, but another patient filed an identical complaint a couple of days later. OCR therefore determined that a financial penalty was appropriate. Korunda Medical resolved the case by paying $85,000.

The second penalty was issued against West Georgia Ambulance for multiple violations of the HIPAA Rules. OCR investigated the covered entity after receiving a breach report about a missing unencrypted laptop computer. The investigation uncovered long-standing noncompliance by West Georgia Ambulance in a number of areas of the HIPAA Regulations. The violations included not conducting a risk analysis, not providing employees with security awareness training, and failing to implement the policies and procedures required by the HIPAA Security Rule. West Georgia Ambulance paid OCR $65,000 to settle the case.

HIPAA Enforcement Actions in 2019

In 2019, OCR imposed a total of 10 financial penalties on covered entities and business associates. Two were Civil Monetary Penalties and 8 were settlements, with penalties totaling $12,274,000 paid.